Adobe Connect DB, NASA Laptop, FreeBSD Breached This Week

Three very different organizations reported data breaches this week: Adobe's Connectusers.com forum, a stolen NASA laptop, and servers belonging to the open source FreeBSD operating system. The incidents varied, including an attacker harvesting passwords from a company database, a laptop containing sensitive information being stolen out of a locked vehicle, and attackers intercepting private SSH keys.


Adobe Connect Users Exposed

An individual with the name "ViruS_HimA" claimed to have stolen email addresses and passwords from Adobe's Connectusers.com forum database and published several hundred of them online earlier this week. The leaked addresses reportedly belong to Adobe employees, and military and government personnel (.mil, .gov).

"At this point of our investigation, it appears that the Connectusers.com forum site was compromised by an unauthorized third party. It does not appear that any other Adobe services, including the Adobe Connect conferencing service itself, were impacted," Adobe wrote.

If the leaked code sample really comes from Adobe, it appears the company used MD5 to hash the passwords, Paul Ducklin, head of technology, Asia Pacific at Sophos, wrote on the Naked Security blog. Not only is MD5 vulnerable to cracking, Adobe also neglected to salt password hashes, Ducklin said.

When a hash is salted, a collection of random bits is added to the data before being hashed. Since the attacker doesn't know what the random bits of data being added are, the hash becomes harder to crack using rainbow tables.

Adobe also didn't iterate the hash, or run it multiple times, Ducklin said. Running many iterations makes it harder to brute-force passwords, he said.

It didn't help that the passwords themselves weren't that complex, Ducklin said, noting passwords such as "Letmein," "Passw0rd," and "123456." Passwords containing the Adobe product name (C0nn3ct) also were on the list.
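The difference between the unsalted, single-pass MD5 scheme described above and a salted, iterated hash can be shown in a few lines. This is an added example, not code from Adobe or from the leaked sample; the PBKDF2-HMAC-SHA256 choice, the iteration count, the record format and the user names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to your own hardware
SALT_BYTES = 16

def md5_unsalted(password: str) -> str:
    """The scheme the article describes: one MD5 pass, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as 'iterations$salt_hex$digest_hex'."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def table_hits(stored_hashes, wordlist):
    """Audit helper: stored unsalted hashes that one precomputed table resolves."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}

if __name__ == "__main__":
    # Constructed sample: two users share a weak password quoted in the article.
    users = {"alice": "123456", "bob": "123456", "carol": "Passw0rd"}
    unsalted = {u: md5_unsalted(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    # Without a salt, equal passwords produce equal hashes.
    print("unsalted equal:", unsalted["alice"] == unsalted["bob"])
    # With per-password salts, the stored records differ.
    print("salted equal:", salted["alice"] == salted["bob"])
    # A single table built once resolves every matching unsalted hash.
    print(table_hits(unsalted.values(), ["Letmein", "Passw0rd", "123456"]))
    print("verify:", verify_password("123456", salted["alice"]))
```

Salting and iterating raise the cost of each guess but do not rescue a password that sits at the top of every wordlist, which is the point of the paragraph above.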

The exposed addresses for Adobe employees appear to be legitimate, Tal Be'ery, a security researcher at Imperva, told SecurityWatch. He compared the names in the leaked list against LinkedIn.com and found employees that once worked for Adobe but were no longer employed there, suggesting the database was "pretty old," Be'ery said.

Data Unencrypted on NASA Laptop

A laptop containing sensitive personally identifiable information of a "large number" of NASA employees and contractors was stolen Oct. 31 from a locked vehicle, according to a memo from the National Aeronautics and Space Administration posted on spaceref.com Thursday. The laptop, a NASA-owned device assigned to an employee, was password protected, but "did not have whole disk encryption software," Richard Keegan Jr., associate deputy administrator at NASA, wrote in the memo.

As PCMag.com reported earlier, NASA has banned employees from removing laptops with sensitive information from its facilities unless whole disk encryption software is enabled or the sensitive files are individually encrypted. Keegan said the IT staff is under orders to encrypt the bulk of laptops by Nov. 21, and all laptops by Dec. 21.

An unencrypted laptop in a car is generally considered the number one cause of a data breach, Ondrej Krehel, information security officer at Identity Theft 911, told SecurityWatch. "It took a scientific group, like NASA, to prove it that no one is immune to such scenario. Full laptop encryption is considered the industry standard in such situations, and good news is that it does not require a rocket scientist to implement it," Krehel said.

FreeBSD Servers Taken Offline

Servers belonging to BSD-based operating system FreeBSD were also breached this week. Administrators took the affected servers offline to investigate and checked whether attackers modified any of the source code files. The breach seems limited to the server hosting the source code for third-party packages, according to FreeBSD. None of the base repositories appear to be affected and none of the software packages have been modified.

"No part of the base FreeBSD system has been put at risk. At no point has the intruder modified any part of the FreeBSD base system software in any way," FreeBSD administrators wrote in a detailed analysis of the breach.

Attackers likely compromised a FreeBSD developer's SSH (secure shell) key. SSH supports various authentication schemes to remotely log in to non-Windows systems. Many administrators generate public and private keys and allow users to authenticate with the key pairs. The SSH server verifies the public key is correct, and the client software uses the private key to log in.

An attacker has to know the password protecting the private key and have access to the actual file containing the private key in order to successfully steal SSH key credentials. While harder to accomplish, it seems the FreeBSD attacker managed to do just that.

"This is a hearty reminder that a chain is only as strong as its weakest link," Ducklin said.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.